Configure periodic re-authentication to maintain security compliance for Prisma
Access Agent deployments.
Prisma Access Agent continuously validates user trust through background
authentication processes that do not interrupt user activity. Customizable
authentication timers extend this capability by letting you control when users
must explicitly re-authenticate with their credentials, so you can align
authentication intervals with your organizational security policies and
compliance requirements.
Re-authentication Frequency
You can define the frequency that determines how often users must provide their
credentials. This frequency applies globally across your deployment and directly
controls the user refresh token lifetime. You set this interval between 10 hours and
30 days, with a default of 7 days.
Notification Settings
To prevent workflow disruption, you configure notification timers that alert users
before their authentication expires. You specify how many minutes in advance users
receive warnings, with a range of 5 to 120 minutes and a default of 60 minutes. You
can also customize the notification message that displays to users. If you leave the
re-authentication notification message empty, the agent displays a default
message.
Gateway Session Timeout
The gateway session timeout operates separately from re-authentication frequency and
controls how long an established connection to the gateway remains valid. You
configure this timeout at the Agent Settings level, with values ranging from 2 hours
to 30 days and a default of 10 days. This setting was previously named Session Timeout
and has been renamed to Gateway Session Timeout for clarity. The notification settings
that were previously configurable at the agent level now map from the Global Agent
Settings.
Gateway Session Extension Behavior
When the Gateway Session Timeout is reached, the gateway
session extends automatically in the background. No user action or notification is
required.
Dynamic Privilege Access tenants provide the Aggressive Authentication setting for
stricter security enforcement. For Dynamic Privilege Access-enabled Prisma Access
Agents, the gateway session extension behavior depends on the Aggressive
Authentication configuration.
User Experience
When users reach the re-authentication threshold, their
experience varies based on your configuration and their current connection state.
Connected users receive notifications at the configured time before
re-authentication. When users click on the notification, the agent initiates the
login workflow while the existing tunnel remains up and backend jobs continue
uninterrupted. If users do not complete re-authentication before the deadline, the
user interface signs out from Endpoint Manager and users must re-authenticate to
restore access.
For authentication methods using LDAP with saved credentials or client certificates,
re-authentication notification does not apply. The agent automatically authenticates
and refreshes tokens without explicit user prompts.
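The following Python model is an added worked example, not Prisma Access Agent code or a product API: the class, function and enum names are constructed for illustration. It encodes the documented ranges and defaults for Re-authentication Frequency, the notification lead time and Gateway Session Timeout, derives the warning time and sign-out deadline from the refresh token lifetime, and applies the user-experience rules above (interactive users are warned and then signed out if they miss the deadline; LDAP with saved credentials and client-certificate users refresh silently). The default notification text is a constructed placeholder, since the page does not quote the agent's built-in message.

```python
"""Worked model of the re-authentication timers described above.

Added illustration only: these class and function names are constructed for
this example and are not Prisma Access Agent code or API. It encodes the
documented ranges and defaults, derives the notification and sign-out times
from the refresh token lifetime, and applies the user-experience rules.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

MINUTE = timedelta(minutes=1)
HOUR = timedelta(hours=1)
DAY = timedelta(days=1)

# Constructed stand-in for the agent's built-in text, which the page does not quote.
DEFAULT_NOTIFICATION = "[agent default re-authentication message]"


def _check_range(name, value, low, high):
    """Reject a timer value outside the documented bounds (inclusive)."""
    if not low <= value <= high:
        raise ValueError(f"{name} must be between {low} and {high}, got {value}")


@dataclass(frozen=True)
class ReauthSettings:
    """Global agent settings with the documented defaults and permitted ranges."""
    reauth_frequency: timedelta = 7 * DAY          # refresh token lifetime: 10 h .. 30 d
    notify_before: timedelta = 60 * MINUTE         # warning lead time: 5 .. 120 min
    gateway_session_timeout: timedelta = 10 * DAY  # separate timer: 2 h .. 30 d
    notification_message: str = ""                 # empty string -> agent default text

    def __post_init__(self):
        _check_range("Re-authentication Frequency", self.reauth_frequency, 10 * HOUR, 30 * DAY)
        _check_range("Notification lead time", self.notify_before, 5 * MINUTE, 120 * MINUTE)
        _check_range("Gateway Session Timeout", self.gateway_session_timeout, 2 * HOUR, 30 * DAY)

    def message(self):
        """Custom text if configured, otherwise the agent's default message."""
        return self.notification_message or DEFAULT_NOTIFICATION


class AuthMethod(Enum):
    INTERACTIVE = "interactive login"         # user is prompted for credentials
    LDAP_SAVED_CREDENTIALS = "ldap saved"     # re-auth notification does not apply
    CLIENT_CERTIFICATE = "client cert"        # re-auth notification does not apply


class Outcome(Enum):
    SILENT_REFRESH = "token refreshed in background, no prompt"
    REAUTHENTICATED = "login completed before deadline, tunnel stayed up"
    SIGNED_OUT = "deadline passed, signed out of Endpoint Manager"


def schedule(settings, token_issued_at):
    """Return (notify_at, deadline): the deadline is issue time + refresh token
    lifetime, and the warning is shown notify_before ahead of it."""
    deadline = token_issued_at + settings.reauth_frequency
    return deadline - settings.notify_before, deadline


def resolve(settings, method, token_issued_at, login_completed_at=None):
    """Apply the user-experience rules from the text to one token lifetime."""
    if method in (AuthMethod.LDAP_SAVED_CREDENTIALS, AuthMethod.CLIENT_CERTIFICATE):
        return Outcome.SILENT_REFRESH  # agent re-authenticates without prompting
    _, deadline = schedule(settings, token_issued_at)
    if login_completed_at is not None and login_completed_at <= deadline:
        return Outcome.REAUTHENTICATED
    return Outcome.SIGNED_OUT


def example_run():
    """Walk one token lifetime with the defaults; returns plain values for checking."""
    settings = ReauthSettings()
    issued = datetime(2024, 1, 1, 9, 0)  # constructed token issue time
    notify_at, deadline = schedule(settings, issued)
    return {
        "notify_at": notify_at.isoformat(),
        "deadline": deadline.isoformat(),
        "on_time": resolve(settings, AuthMethod.INTERACTIVE, issued, deadline - 5 * MINUTE),
        "too_late": resolve(settings, AuthMethod.INTERACTIVE, issued, deadline + MINUTE),
        "ignored": resolve(settings, AuthMethod.INTERACTIVE, issued),
        "cert": resolve(settings, AuthMethod.CLIENT_CERTIFICATE, issued),
        "message": settings.message(),
    }


def rejects_out_of_range():
    """Show the documented bounds are enforced: a 1-hour gateway timeout is below the 2-hour minimum."""
    try:
        ReauthSettings(gateway_session_timeout=1 * HOUR)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for key, value in example_run().items():
        print(f"{key}: {value}")
```

With the defaults, a token issued at 09:00 on 1 January produces a warning at 08:00 on 8 January and a sign-out deadline one hour later; the same model shows that saved-credential and certificate users never see the warning at all.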
Complete the following steps to maintain security compliance for your Prisma Access
Agent deployment.